**Summary** Harden `/api/webhooks/github` by verifying signatures and rejecting replayed events. **Acceptance criteria** - Signature is validated against a secret. - Replayed `delivery` IDs are rejected for a configurable TTL.
Summary
Harden
/api/webhooks/githubby verifying signatures and rejecting replayed events.Acceptance criteria
deliveryIDs are rejected for a configurable TTL.